SEC540: Secure DevOps and Cloud Application Security

Mon, March 11 - Fri, March 15, 2019

Great course content! Lots of hands-on exercises, with a great instructor who patiently walks us through it all.

Anand Danpegaonear, Asurion

This course offers excellent depth, and demonstrates the complexities of cloud architecture and security.

Neil Erath, Chubb

SEC540 gives developers and security professionals the tools needed to build and deliver secure software using DevOps and cloud services, specifically Amazon Web Services (AWS). It explains how the principles, practices, and tools of DevOps and AWS can improve the reliability, integrity, and security of applications.

The first two days of the course examine the implementation of Secure DevOps using lessons from successful DevOps security programs. Using popular open-source tools such as GitLab, Puppet, Jenkins, Vault, Grafana, and Docker, you will create a secure DevOps CI/CD toolchain that can automatically build, test, and deploy infrastructure and applications. In a series of labs, you will inject security into your CI/CD toolchain using a variety of security tools, patterns, and techniques.

The final three days of the course will teach you to shift your DevOps workloads to the cloud and secure software using AWS. With your CI/CD toolchain, you will build a cloud infrastructure that can deploy applications and microservices to the cloud, instead of to local servers. You'll also analyze and fix cloud infrastructure and application vulnerabilities using AWS security services and tools such as API Gateway, IAM, CloudFront Signed URLs, Security Token Service, KMS, encryption, WAF, Lambda for Serverless computing, CFN NAG scanner, AWS Security Benchmark, and much more.

SEC540 makes extensive use of open-source materials and tooling for automated configuration management ("Infrastructure as Code"), Continuous Integration, Continuous Delivery, Continuous Deployment, containerization, micro-segmentation, automated compliance ("Compliance as Code"), and Continuous Monitoring. It also uses Jenkins and AWS developer tools such as CloudFormation, CodeCommit, CodeBuild, CodePipeline, and other cloud application services, so you can experience the use of these services when securing infrastructure and applications.

Course Syllabus

SEC540.1: Introduction to Secure DevOps

Overview

The first course section introduces DevOps practices, principles, and tooling. We will examine how DevOps works, how work is done in DevOps, and the importance of culture, collaboration, and automation.

Using case studies of DevOps "Unicorns" - the Internet tech leaders who've created the DevOps DNA - we'll consider how and why these leaders succeeded, and examine the keys to their DevOps security programs.

We'll then look at Continuous Delivery, the DevOps automation engine. We'll explore how to build up a Continuous Delivery or Continuous Deployment pipeline, including how to fold or wire security controls into the CD pipeline, and how to automate security checks and tests in CD.

Exercises

Exploring CI/CD Tools and Pipelines

Deployment Data

Automating Static Analysis in CI

Automating Dynamic Analysis in CI/CD

CPE/CMU Credits: 6

Topics

Introduction to DevOps

Case Studies on DevOps Unicorns

Working in DevOps

Security Challenges in DevOps

Building a CD Pipeline

DevOps Deployment Data

Secure Continuous Delivery

Security in Pre-Commit

Security in Commit

Security in Acceptance

SEC540.2: Moving to Production

Overview

Building on the ideas and frameworks developed in Section 1, and using modern automated configuration management tools like Puppet, Chef, and Ansible, you'll learn how secure Infrastructure as Code allows you to quickly and consistently deploy new infrastructure and manage configurations.

Because the automated CD pipeline is so critically important to DevOps, you'll also learn to secure the pipeline, including RASP and other run-time defense technologies.

As the infrastructure and application code moves to production, we'll spend the second half of the day exploring container security issues associated with tools such as Docker and Kubernetes, as well as how to protect secrets using Vault and how to build continuous security monitoring using Grafana, Graphite, and StatsD.

Finally, we'll discuss how to build compliance into Continuous Delivery, using the security controls and guardrails that have been built in the DevOps toolchain.

Exercises

Managing Configuration with Puppet

Auditing Docker's Security

Monitoring with Dashboards, Grafana, and Graphite

Protecting Secrets with Vault

Auditing with OpenSCAP

CPE/CMU Credits: 6

Topics

Secure Infrastructure as Code: Building Security Policies into Infrastructure Code

Security with Puppet Lab

Securing Your CD Pipeline

Threat Modeling and Locking Down Your Build and Deployment Environment

SEC540.4: Cloud Application Security

Overview

In this section, you'll learn to leverage cloud application security services to ensure that applications have appropriate encryption, authentication, authorization, and access control, while also maintaining functional and high-availability systems.

Exercises

Encrypting Application Secrets with KMS and the SSM Parameter Store

Securing CloudFront Content with Signed URLs

Protecting REST Web Services with API Gateway

Protecting APIs with Lambda and JSON Web Tokens (JWT)

CPE/CMU Credits: 6

Topics

Data Protection

Data Storage (S3, RDS, DynamoDB)

Secrets Management

Approaches to Secrets Management

Key Management Service

Third-Party Solutions

Secure Content Delivery

Introduction to Content Delivery Networks

Restricting Origin Access with Origin Access Identities

CloudFront Trusted Signing and Access Control with Signed Cookies and URLs

Additional Information

Laptop Requirements


Plan to arrive early on Day 1 (8:00 AM local time) for lab preparation and setup. During this time you can confirm that your AWS account is properly set up, ensure that your laptop has virtualization enabled, copy the lab files, and start the Linux virtual machine.

The instructor will be available to assist students with laptop prep and set-up from 8:00AM - 9:00AM. Class lecture begins at 9:00 AM (excludes vLive, Mentor, and OnDemand).

!!! IMPORTANT NOTICE:

It can take more than 24 hours for a new AWS free-tier account to become active. Please do the following at least one week prior to the start of class:

Register for a personal free-tier account.

Activate your new account.

Log in to the AWS Console with your root account.

Browse to the EC2 Service and verify that you see the dashboard (not an activation screen).

In the top right-hand corner of the page, select one of the following supported regions (preferably the region closest to where the course is running):

- U.S. East (Northern Virginia)

- U.S. West (Oregon)

- E.U. (Ireland)

- Asia Pacific (Tokyo)

From the left navigation bar, select "Limits."

Verify that you have at least 5 t2.micro instances available.

If your limit is less than 5 t2.micro instances, request an increase by opening a ticket with the AWS support team.

BRING YOUR OWN LAPTOP CONFIGURED USING THE FOLLOWING DIRECTIONS:

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly:

Download and install VMware Workstation, VMware Fusion, or VMware Workstation Player on your system prior to the start of the class.

If you own a licensed copy of VMware, make sure it is at least VMware Workstation Pro 13.0, VMware Fusion 9.0, or VMware Workstation Player 13.0.

If you do not own a licensed copy of VMware, download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Prerequisites

A basic understanding of application security, common attacks, and vulnerabilities (e.g., the OWASP Top 10)

Familiarity with Agile development and Agile project/product management practices

Familiarity with Linux command shells and associated commands

Ability to understand basic coding concepts

Hands-on Labs

This course goes well beyond traditional lectures and delves into practical application of techniques, reinforcing learning through a number of hands-on labs. The labs include a step-by-step guide to learning and applying hands-on techniques, but they also employ a "no hints" approach for those who want to stretch their skills and see how far they can get without following the guide. This allows each student, regardless of background, to choose a level of difficulty - always with a frustration-free fallback path.

What You Will Receive

Author's Statement

"DevOps and cloud are radically changing the way that organizations design, build, deploy, and operate online systems. Leaders like Amazon, Etsy, and Netflix are able to deploy hundreds or even thousands of changes every day, continuously learning, improving, and growing - and leaving their competitors far behind. Now DevOps and the cloud are making their way from Internet 'Unicorns' and cloud providers into enterprises.

Traditional approaches to security can't come close to keeping up with this rate of accelerated change. Engineering and operations teams that have broken down the 'walls of confusion' in their organizations are increasingly leveraging new kinds of automation, including Infrastructure as Code, Continuous Delivery and Continuous Deployment, microservices, containers, and cloud service platforms. The question is: can security take advantage of the tools and automation to better secure its systems?"